Xuxueli XXL-Job Server-Side Request Forgery Vulnerability in HTTP Job Handler

A critical server-side request forgery (SSRF) vulnerability has been identified in Xuxueli XXL-Job versions through 3.1.1. The issue resides in the HTTP Job Handler function within the SampleXxlJob.java file. This vulnerability allows remote attackers to manipulate the target URI parameter for network requests, lacking adequate security measures, and potentially probe or exploit internal services of the affected system.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal services, potentially leading to unauthorized access or manipulation of data.

Reproduction

To reproduce this vulnerability, send a POST request to the '/run' endpoint with the 'executorHandler' parameter set to 'httpJobHandler'. Include the 'executorParams' parameter with a crafted value that specifies a URL to an internal service. The server will then make a request to the specified URL, demonstrating the SSRF vulnerability.